Apple Patches Safari, Blocks Outdated Flash Player

Apple on Wednesday patched four security vulnerabilities in Safari and blocked outdated versions of Adobe's Flash Player from running in its browser.

The Flash blocking move was similar to one Apple made last month when it stopped the Java plug-in from launching automatically.

Safari 5.1.7, which runs on OS X 10.6 and 10.7 -- Snow Leopard and Lion, respectively -- as well as on Windows XP, Vista and Windows 7, was released alongside another update for Lion that included a slightly-older version of the browser. Lion users must download and install both updates to push Safari to version 5.1.7.

The four security flaws fixed were the same ones patched Tuesday in iOS 5.1.1 for the iPhone, iPad and iPod Touch. All were labeled as bugs in WebKit, the open-source rendering engine that powers Safari as well as Google's Chrome.

In fact, one of the vulnerabilities was first revealed by a researcher at the "Pwnium" hacking contest Google hosted last March. The researcher, Sergey Glazunov, was awarded $60,000 for pairing the flaw with another bug to bring down Chrome.

Glazunov was credited by Apple with reporting a second WebKit vulnerability, while another was attributed to a pair of engineers on the Chrome security team.

Along with the four patches, Apple also yanked Adobe's Flash Player from Safari if the plug-in was older than version 10.1.102.64, which released in November 2010. Since then, Adobe has shipped Flash Player 11 for the Mac. It has also continued to maintain the older version 10, which now stands at version 10.3.183.19.

"This update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory," Apple's advisory stated Wednesday. "This update presents the option to install an updated version of Flash Player from the Adobe website."

Apple stopped bundling Flash Player with OS X in the fall of 2010, but users have been free to download and install the plug-in on their own. Microsoft last distributed Flash with the nearly-11-year-old Windows XP. Neither Windows Vista or Windows 7 included a preinstalled version of Adobe's software.

Blocking Flash was the second such move by Apple in a month: On April 12, the company issued an OS X update that disabled automatic execution of Java applets by the Java browser plug-in. Apple took the step because of Flashback, a malware family that used a Java vulnerability to infect hundreds of thousands of Macs in a spree that still continues.

"As a security hardening measure, the Java browser plug-in and Java Web Start are deactivated if they are unused for 35 days," Apple said at the time.

Java Web Start is an Oracle technology that lets users single-click launch a Java app from within a browser without first downloading the app to the machine.

Mozilla maintains a blocklist for extensions or plug-ins that cause significant security or performance issues in Firefox. The browser automatically queries the blocklist and notifies users before disabling the targeted plug-in.

According to Mozilla, it's working with Adobe on a fix to Reader but will keep the plug-in on its blocklist until one is available.

Safari 5.1.7 can be downloaded from Apple's website. Mac users will be notified of the new version automatically by OS X's Software Update, while Windows users already running Safari will be alerted by a separate tool bundled with the browser.